What permission is required to remove or add a resource lock for Azure SQL with Terraform on Azure Pipelines

I have a prod subscription where the deployment pipeline fails because a permission is missing. My Azure AD user has no permission to create or remove locks on Azure SQL.

I wonder what user permission to configure, and how, so that Azure Pipelines can create, edit or remove resource locks?

TERRAFORM:

resource "azurerm_management_lock" "hellodb_lck" {
  for_each   = var.databases
  name       = "can-not-delete"
  scope      = azurerm_sql_database.hellodb[each.key].id
  lock_level = "CanNotDelete"
}


Solution 1:[1]

Per the documentation, the options on permissions to manage locks (any one of these suffices):

  • User account has elevated rights to the Owner or User Access Administrator role. These two roles are part of the root tenant group for your Azure Tenant.
  • User account has access to Microsoft.Authorization/*
  • User account has access to Microsoft.Authorization/locks/*

Microsoft.Authorization Type

There are multiple different built-in roles and Resource permissions that allow a user to manipulate the locks on a resource.

A built-in role that has the required access would be the User Access Administrator role, as it is given Managed Authorization (aka Microsoft.Authorization/*).

As well, an Owner of a resource is granted *, so it inherits the ability to control the locks on the resource as well. Anything under a Contributor on the resource itself does not have the required permissions, as it is only given sub-types of Microsoft.Authorization (e.g. Microsoft.Authorization/*/deletes).

Solution 2:[2]

This Azure documentation shows that only the built-in Owner or User Access Administrator roles, or custom roles with the right action, are allowed to manipulate locks.

To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.

See Shawn's answer for a more detailed explanation.
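Both answers point at a custom role as the least-privilege alternative to handing the pipeline Owner or User Access Administrator. The following is an added Terraform example, not code from the question or either answer, that defines such a role with only the Microsoft.Authorization/locks/* actions and assigns it to the pipeline's service principal at subscription scope. The variable pipeline_principal_object_id (the object ID behind the Azure Pipelines service connection) is assumed.

```hcl
# Added example: least-privilege custom role for managing resource locks.
# Assumed input: the object ID of the service principal used by the pipeline.
variable "pipeline_principal_object_id" {
  description = "Object ID of the service principal behind the pipeline service connection"
  type        = string
}

# Scope the role definition and assignment to the current subscription.
data "azurerm_subscription" "current" {}

resource "azurerm_role_definition" "lock_manager" {
  name        = "Resource Lock Manager"
  scope       = data.azurerm_subscription.current.id
  description = "Read, create and delete management locks; nothing else from Microsoft.Authorization"

  permissions {
    # locks/* covers locks/read, locks/write and locks/delete, which is all
    # azurerm_management_lock needs to create, update or remove a lock.
    actions     = ["Microsoft.Authorization/locks/*"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.current.id,
  ]
}

# Grant the custom role to the pipeline identity. Contributor (or a narrower
# role) on the SQL resources themselves is still required separately; this
# role only adds the lock actions that Contributor lacks.
resource "azurerm_role_assignment" "pipeline_lock_manager" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = azurerm_role_definition.lock_manager.role_definition_resource_id
  principal_id       = var.pipeline_principal_object_id
}
```

Creating the role definition and assignment itself requires Microsoft.Authorization/roleDefinitions/write and roleAssignments/write, so apply this bootstrap step once from an account holding Owner or User Access Administrator, not from the pipeline identity it grants.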

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Shawn Melton
Solution 2